September 25, 2003
Audit Report No. 03-042

Business Continuity Planning at FDIC-Supervised Institutions

TABLE OF CONTENTS

BACKGROUND ..... 2
   Business Continuity Planning: An Industry Perspective ..... 4
   DSC's Approach to Examining Business Continuity Planning at FDIC-Supervised Institutions ..... 6
RESULTS OF EVALUATION ..... 7
FINDING A: DSC ACTIVELY PARTICIPATES IN EFFORTS TO ADDRESS BUSINESS CONTINUITY PLANNING ..... 8
   DSC Participation in the FFIEC ..... 8
   DSC Participation in the Financial and Banking Information Infrastructure Committee ..... 9
   Examiner Training Stresses Enterprise-Wide Business Continuity Planning ..... 10
   IT Examiner's Implementation of DSC's Approach to Business Continuity Planning at FDIC-Supervised Institutions ..... 10
FINDING B: DSC'S EXAMINATION APPROACH TO BUSINESS CONTINUITY PLANNING ..... 11
   Key Elements of Business Continuity Planning ..... 11
CORPORATION COMMENTS AND OIG EVALUATION ..... 15
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY ..... 16
APPENDIX II: GLOSSARY ..... 19
APPENDIX III: CORPORATION COMMENTS ..... 20
APPENDIX IV: MANAGEMENT RESPONSES TO RECOMMENDATIONS ..... 21

TABLES
   Table 1: FDIC-Supervised Institutions Statistics ..... 3
   Table 2: Technology Risk Profile and Applicable Examination Procedures ..... 7
   Table 3: Common BCP Elements ..... 12
   Table 4: BCP Common Elements That Need To Be Addressed in DSC's Approach ..... 13

FIGURE
   Business Continuity and Disaster Recovery ..... 5

Federal Deposit Insurance Corporation
801 17th St. NW, Washington, DC 20434
Office of Inspector General

DATE: September 25, 2003

MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau, Assistant Inspector General for Audits

SUBJECT: Final Report Entitled Business Continuity Planning at FDIC-Supervised Institutions (Evaluation Report No. 03-042)

This report presents the results of our evaluation of business continuity planning at Federal Deposit Insurance Corporation (FDIC)-supervised institutions. Financial institutions play a crucial role in the U.S. economy. Therefore, business operations of financial institutions must be resilient, and the effects of disruptions in service must be minimized in order to maintain public trust and confidence in our financial system.

A business continuity plan (BCP) is a comprehensive, written plan developed to maintain or resume operations, including service to customers, in the event of a disruption. Effective BCPs are building blocks for ensuring the safety and soundness of the nation's financial system. The objectives of a BCP are to minimize financial loss to the institution, continue to serve customers and financial market participants, and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations.

The objective of our evaluation was to determine the adequacy of the Division of Supervision and Consumer Protection's (DSC) approach to assessing BCPs at FDIC-supervised institutions. See Appendix I for details of our objective, scope, and methodology. Appendix II contains a glossary of terms used in our report.

BACKGROUND

Business continuity planning is important for all federally insured institutions regardless of size and complexity of the institution. According to the Federal Financial Institutions Examination Council (FFIEC), financial institutions that play significant roles in critical financial markets are those that participate in sufficient volume or value such that their failure to perform critical activities by the end of the business day could present systemic risk. Financial institutions not directly participating in critical financial markets, but nonetheless performing financial services or supporting financial activities deemed critical to regional or national financial sectors, are also expected to establish BCPs and recovery capabilities commensurate with their role. Smaller, less complex institutions generally do not need the same level of planning, but are expected to fulfill their responsibility by developing appropriate BCPs and periodically conducting adequate tests of their readiness. The key concepts of business continuity planning should be considered in the development of every BCP, but the degree to which they are actually implemented should be relative to the risks associated with the particular entity and its size and complexity.

The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the five federal financial regulatory agencies and to make recommendations to promote uniformity in the supervision of financial institutions.

As shown in Table 1, small- and medium-size financial institutions account for 99 percent of all FDIC-insured financial institutions (1) and 31 percent of all assets held in insured financial institutions. The FDIC has primary supervisory responsibility for 5,446, or 59 percent of all small- to medium-size financial institutions, with $1.3 trillion in assets, or 47 percent of all assets held by all insured financial institutions.

Table 1: FDIC-Supervised Institutions Statistics

                      All FDIC-Insured Institutions     FDIC-Supervised Institutions
Category              Number     Percent of Total       Number    Percent of FDIC-Supervised to All Insured Institutions
Large                    109            1%                  19          17%
Small and Medium       9,205           99%               5,446          59%
Total                  9,314          100%               5,465          59%

                      All FDIC-Insured Institutions                 FDIC-Supervised Institutions
Category              Total Assets (millions)  Percent of Total    Total Assets (millions)  Percent of FDIC-Supervised to All Insured Institutions
Large                       $5,940,053            69%                    $434,353                   7%
Small and Medium            $2,665,991            31%                  $1,257,742                  47%
Total                       $8,606,044           100%                  $1,692,095                  20%

Source: FDIC Statistics on Banking, March 30, 2003.

(1) Small- to medium-size institutions are defined as having less than $10 billion in total assets.

The FDIC supervises the majority of small- and medium-size institutions and plays a critical role, through its supervisory examination responsibilities, in promoting safe and sound management practices, which include assessing whether these institutions are prepared to respond to events, such as natural disasters, malicious activities, and/or technical disasters that could cause a disruption to business operations.

Business Continuity Planning: An Industry Perspective

The Year 2000 problem was technical in nature and generated much guidance from the federal government as well as the private sector on how organizations should take steps to ensure that their core business processes would not be disrupted in the event that year-date data could not be processed for years beyond 2000. After the September 11, 2001 terrorist attacks, the federal government and private sector organizations recognized that although technology was the primary basis for concern for Year 2000, an enterprise-wide, process-oriented approach that considers technology, business processes, testing, and communication strategies is critical to building a viable BCP. According to the General Accounting Office, (2) the terrorist attacks revealed limitations in many financial market participants' BCPs for addressing such a widespread disaster. These factors included a lack of backup facilities that were sufficiently geographically dispersed or comprehensive enough to conduct all critical operations, unanticipated loss of telecommunications service, and difficulties in locating staff and transporting them to new facilities.

"In enterprise-wide business continuity planning an institution considers every critical aspect of its business in creating a plan for how it will respond to disruptions. It is not limited to the restoration of information technology systems and services, or data maintained in electronic form, since such actions, by themselves, cannot always put an institution back in business."
-- FFIEC Business Continuity Booklet

Information security consultants, business continuity consultants, and the FFIEC agree that business continuity planning should be conducted on an enterprise-wide basis. Without a BCP that considers every critical business unit, including personnel, physical workspace, and similar issues, an institution may not be able to resume servicing its customers at acceptable levels.

Business continuity planning is the process of proactively developing, documenting, and integrating processes and procedures and enabling technologies that will allow an organization to respond to a disruption in such a manner that critical business functions will continue with minimal, if any, interruption or significant changes until such time as normal facilities are restored. Industry consultants agree that business continuity planning takes into account the recovery of the business, not just information technology (IT) systems. Conversely, disaster recovery planning is an IT function. A disaster recovery plan documents the actions that will be taken to restore computer processing, applications, telecommunications services, and data after a disruption or disaster event to prevent, or at least minimize, the relative impacts on a business. Business continuity planning focuses on avoiding or mitigating the impact of a risk, whereas disaster recovery focuses on restoring the organization to business as usual after a disruption occurs.

(2) GAO-03-414, Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, dated February 2003.

The FFIEC's Business Continuity Planning booklet (3) discusses four basic components to business continuity planning: the business impact analysis, risk assessment, risk management, and risk monitoring. This planning framework is usable regardless of the size of the financial institution. Business continuity planning encompasses the full restoration process of all business operations, including IT, and is a function and responsibility of the entire organization.

Disaster recovery planning enables business continuity planning and, as shown below, is a critical component of the business continuity planning process.

Figure: Business Continuity and Disaster Recovery

Business continuity: Focus on People and Processes to Recover the Business

   Perform Business Impact Analysis
   • Identify potential impact on all business processes
   • Identify critical business functions and resources to maintain them

   Risk Assessment
   • Identify various disruption scenarios

   Risk Management
   • Plan addresses how critical business functions will be restored
   • Plan addresses loss of key personnel

   Risk Monitoring
   • Test the plan
   • Train employees
   • Ensure independent audit review
   • Update plan periodically

Disaster recovery (a component of the above): Focuses on IT Systems Following a Disruption

   • Retrieval or re-creation of critical computer processing, applications, telecommunications services, and data after a disruption
   • Clearly defines backup and recovery techniques

Source: OIG Analysis of Industry Sources.

(3) In May 2003, the FFIEC issued revised guidance for examiners and financial institutions on business continuity planning. The guidance is contained in the booklet, entitled, Business Continuity Planning (BCP Booklet). The BCP Booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

DSC's Approach to Examining Business Continuity Planning at FDIC-Supervised Institutions

DSC reviews BCP as part of its IT examinations of FDIC-supervised institutions and its examinations of organizations that provide IT services to FDIC-supervised institutions. DSC revised its IT examination approach in September 2002 as a result of an initiative undertaken to improve the effectiveness and efficiency of IT examinations of the least complex financial institutions. As part of its revision, DSC implemented new IT examination guidance and two new related work programs that were designed toward a more risk-focused IT examination approach:

   • The IT-MERIT (Maximum Efficiency, Risk-Focused, Institution Targeted) Procedures were developed for examiners conducting technology risk reviews at FDIC-supervised financial institutions with the least technology risk.

   • The IT General Work Program was developed for examiners conducting technology risk reviews at FDIC-supervised financial institutions with low to moderate technology risk.

For financial institutions with greater technology risk, examiners are expected to continue using guidance and work programs issued by the FFIEC (FFIEC Work Programs) that are found in the 1996 FFIEC Information Systems Examination Handbook (Handbook). The FFIEC is updating the Handbook to address significant changes in technology since 1996 and to incorporate a more risk-based examination approach. The FFIEC's updates are being issued in separate booklets that will ultimately replace all chapters of the Handbook and comprise the new FFIEC Information Technology Examination Handbook. The BCP Booklet is one in a series of updates being made to the Handbook. The BCP Booklet rescinded and replaced Chapter 10, Corporate Contingency Planning, of the Handbook.

To address the different levels of technology risk at financial institutions, DSC defined four "types" of financial institutions based on their technology risk profile and implemented the Technology Profile Script (TPS) to assist in determining an institution's technology risk profile type. Before beginning an IT examination, DSC responds to questions in the TPS based on DSC's review of an institution's core processing systems, networks, electronic banking (E-Banking) products, and other technology components. The responses to the TPS yield a numeric score that correlates to the assigned type of the institution. This measurement of technological complexity is intended to allow examiners to focus examination efforts on high-risk institutions. The determination of an institution's type is the key factor in determining which examination procedures (IT MERIT, IT General Work Program, or FFIEC Work Programs) will be used. Further, managers may use the TPS to allocate examination resources, such as matching examiner skills to the complexity of the institution, or determining training needs. Table 2 shows the examination procedures to be used for each technology type.

Table 2: Technology Risk Profile and Applicable Examination Procedures

TPS Type   Description   IT Examination Procedures Used

Type I
   Description: Limited Networking and E-Banking; No in-house programming or core processing; Minimal external threats; Primary risks: Core banking system or vendor management; Does not have an examination history of less than satisfactory ratings.
   Procedures used: IT-MERIT Procedures

Type II
   Description: Same as Type I, except that the institution has an examination history of less than satisfactory ratings.
   Procedures used: IT General Work Program

Type III
   Description: Fully integrated networking; Increased external threats from E-banking and Internet connections; Increased operational risks from limited programming activities or servicing responsibilities.
   Procedures used: IT General Work Program, supplemented with FFIEC Work Programs, as needed

Type IV
   Description: Reliance upon networks and other communication systems as a critical element of operations; Networking and Internet connectivity relied upon as critical communications medium; Risk of compromise or access to critical systems resulting from Internet and other wide-area network connections is present; Complex technology.
   Procedures used: FFIEC Work Programs

Source: DSC Examination Guidance, September 2002.

RESULTS OF EVALUATION

DSC has actively promoted sound business continuity planning practices in financial institutions. Through its participation in the FFIEC, DSC was the primary author of interagency guidance on business continuity planning. This guidance organizes key elements of business continuity planning into an easily readable and usable format that will assist bankers in developing, and examiners in assessing, BCPs at financial institutions. DSC also examines the services performed for FDIC-supervised institutions by technology service providers (TSP). (4) These examinations include an assessment of the TSP's business continuity planning. Through its participation in the Financial and Banking Information Infrastructure Committee (FBIIC), (5) DSC has worked to assess the vulnerabilities and risks facing the banking industry. DSC has also incorporated key elements of business continuity planning into the curriculum of its in-house training program for examiners. Further, for a sample of IT examinations we reviewed, we concluded that DSC examiners generally used the appropriate work programs and adequately documented the procedures performed and the conclusions reached, in accordance with DSC's approach to IT examinations (See Finding A: DSC Actively Participates in Efforts to Address Business Continuity Planning).

(4) TSPs are third-party companies that provide information technology support to financial institutions.
(5) The FBIIC was created by Executive Order 13231. The FBIIC is charged with coordinating federal and state financial regulatory efforts to improve the reliability and security of the U.S. financial system. The Department of the Treasury's Assistant Secretary for Financial Institutions chairs the committee.

DSC's newly implemented examination work programs, however, do not always address certain key elements that should be included in every BCP, regardless of the size and complexity of the financial institution being examined. Specifically, the IT MERIT Procedures and IT General Work Program, used for IT examinations of Type I, Type II, or Type III institutions, focus largely on disaster recovery planning (an IT function) as opposed to enterprise-wide business continuity planning (overall business concerns, such as the people, management succession, and backup sites). As a result, DSC supervisory examinations may not be adequately assessing whether most FDIC-supervised institutions would be able to effectively respond to a disruption and maintain critical business functions until those functions are fully restored (See Finding B: DSC's Examination Approach to Business Continuity Planning).

FINDINGS AND RECOMMENDATION

FINDING A: DSC ACTIVELY PARTICIPATES IN EFFORTS TO ADDRESS BUSINESS CONTINUITY PLANNING

DSC has actively promoted sound business continuity planning practices in financial institutions through its involvement in the FFIEC and FBIIC and through its in-house examiner training program. Further, we determined that, generally, DSC's assessments of BCPs at FDIC-supervised institutions and TSPs were conducted and adequately documented in accordance with established guidelines.

DSC Participation in the FFIEC

Members of DSC's E-Banking Branch, through their affiliation with the FFIEC's Task Force on Supervision, were the primary authors of the BCP Booklet. DSC's approach to IT examinations requires examiners to consider using FFIEC Work Programs for IT examinations of Type III and Type IV institutions. Therefore, with the release of the FFIEC updated guidance, the BCP Booklet has become the examiner's primary source of guidance in assessing business continuity planning at these financial institutions and TSPs.

In July 2002, DSC circulated the draft BCP booklet to examiners for field testing in a coordinated effort with other FFIEC agencies. DSC examiners were asked to incorporate the work steps into their IT examinations conducted through August 2002 and to provide feedback on the following:

   • Relevance and accuracy of subject
   • Definitions of BCP concepts
   • Length of booklet
   • Clarity of material
   • Adequacy of information to assess risk
   • Length of time to complete steps
   • Helpfulness in setting exam scope
   • Necessity of training

DSC incorporated the feedback into the final BCP booklet, which was issued in May 2003. As discussed later in our report, we found that the BCP booklet addresses all of the key elements of business continuity planning that we identified from our research of industry sources. The BCP booklet also organizes the elements into an easily readable and usable work program format that will assist bankers and examiners in developing and assessing, respectively, BCPs at financial institutions.

Also through its membership in the FFIEC, DSC participates in various other non-bank IT examinations. Two noteworthy reviews are the TSP and Multi-Regional Data Processing Servicers (MDPS) Examinations. The FFIEC agencies examine TSPs to identify existing or potential risks that could adversely affect serviced financial institutions. When a large TSP is regional or national in scope and services more than one class of financial institutions, the FFIEC evaluates the TSP for selection into the MDPS program. The FFIEC agencies examine MDPS organizations because these entities pose a systemic risk to the banking system should one or more have operational or financial problems or fail. When conducting these IT examinations, examiners focus on the underlying risk issues that are common to all IT activities, including the availability of services that the TSP or MDPS organization is providing to the financial institution. During these examinations, the effectiveness of the organization's business continuity program and adherence to service-level agreements is reviewed. Therefore, DSC's participation in these examinations helps to ensure that key service providers of FDIC-supervised institutions are maintaining adequate BCPs for key processes that will facilitate the serviced institutions' ability to provide critical services to their customers in the event of a disruption.

DSC Participation in the Financial and Banking Information Infrastructure Committee

DSC officials also participate in various working groups within the FBIIC. The FBIIC has taken actions designed to assess potential systemic vulnerabilities of the U.S. financial system to disruptions caused by electronic or physical destruction of critical sector assets. Understanding these systemic vulnerabilities will enhance a financial institution's ability to appropriately identify how its business processes and customers would be affected by such disruptions, which is a key element in developing a BCP.

One ongoing FBIIC initiative is the development of a vulnerability assessment that will assess the resilience of the retail banking system in the post-September 11 environment. Retail banking services are services offered by or through federally insured depository institutions, such as most FDIC-supervised institutions, to individuals and households. The objective of the vulnerability assessment is to determine whether key single points of failure exist that would have a material effect on the retail financial system. Although these initiatives are led by the Department of the Treasury, DSC's role is to meet periodically with the members of the Vulnerability Assessment Working Group and to review and provide comments on the draft report. The vulnerability assessment for the retail banking system is slated to be finalized in the fall of 2003.

DSC also participated in FBIIC's Telecommunications Working Group, which was responsible for developing two programs, described below, to enhance communication between financial institution regulators and sponsored affiliated institutions in the event that important telecommunication services are disrupted:

   • Government Emergency Telecommunications Service (GETS) Card Program, which allows priority of telecommunication services to qualified users; and

   • Telecommunications Service Priority Program, which allows sponsored institutions priority service restoration or provisioning of telecommunication circuits.

DSC's role in these programs has been to review applications for sponsorship submitted by FDIC-supervised institutions and to make recommendations to the Department of the Treasury for sponsorship, in accordance with policy established by the FBIIC.

DSC officials are also members of other FBIIC working groups, including the Communications Working Group. The Communications Working Group is responsible for the FBIIC's Web site and the speaker's bureau and outreach and for communicating U.S. Department of Homeland Security information to the banking sector.

Examiner Training Stresses Enterprise-Wide Business Continuity Planning

The FDIC's Corporate University, School of Supervision and Consumer Protection, offers technical training programs for risk management and compliance. One of the risk management training courses is the Information Technology Exam Course (ITEC). This training program provides an opportunity for participants to take part in a series of case studies designed to reinforce concepts and techniques that will further an examiner's ability to assess a financial institution's technology risk through use of the IT General Work Program and other IT examination tools. The course includes a segment on the evaluation of the adequacy of business continuity planning/disaster recovery planning processes. The course content adequately addressed the concepts of enterprise-wide business continuity planning, including concepts contained in the FFIEC's BCP Booklet. Therefore, DSC provides training to its IT examiners that stresses the importance of enterprise-wide business continuity planning at financial institutions and the examination procedures that should be applied in assessing an institution's business continuity planning.

IT Examiner's Implementation of DSC's Approach to Business Continuity Planning at FDIC-Supervised Institutions

We reviewed IT examination workpapers for 10 judgmentally selected IT examinations. The purpose of our review was to determine whether the examiners' reviews of BCPs at FDIC-supervised institutions were consistent with DSC's IT examination approach that was implemented in September 2002. Based on our review of examination workpapers, we concluded that DSC examiners used the TPS to determine the technology risk profile type of the institution and used the appropriate work program(s) to complete the examination. We did not test the accuracy of the responses to the TPS because those tests would have been outside the scope of this evaluation.

Although there is no written requirement for DSC examiners to review business continuity planning at each IT exam, senior management at the regional offices we visited told us that they require their examiners to review BCPs as part of each IT exam. For each of the 10 examinations reviewed, we were able to determine from the examination workpapers: the procedures performed by the examiner, the conclusions reached, and any matters that warranted discussion in the Report on Examination regarding business continuity planning. Therefore, we are reasonably assured that DSC examiners are conducting their reviews of business continuity planning in accordance with DSC's established guidance.

FINDING B: DSC'S EXAMINATION APPROACH TO BUSINESS CONTINUITY PLANNING

DSC's examination approach to assessing business continuity planning at FDIC-supervised institutions does not address certain key elements that should be included in every BCP, regardless of the size and complexity of the financial institution. DSC reviews business continuity planning at FDIC-supervised institutions as part of its IT examination program. The IT MERIT Procedures, used for IT examinations of Type I institutions, and the IT General Work Program, used for IT examinations of Types II and III institutions, focus on disaster recovery planning, not business continuity planning. DSC was aware of the FFIEC's efforts to develop a BCP Booklet at the time that the IT MERIT and IT General Work procedures were being developed. However, DSC focused solely on developing procedures for IT-related functions because the procedures were for IT examinations. As a result, DSC's supervisory examinations may not be adequately assessing whether most FDIC-supervised institutions would be able to effectively respond to a disruption and maintain critical business functions until those functions are fully restored.

Key Elements of Business Continuity Planning

We researched business continuity planning guidance from a variety of industry sources. These sources included a cross-section of government, private consultants, and federal financial regulatory agencies that identified common elements of business continuity planning that should be addressed by a business entity, regardless of its size and complexity. In July 2003, we provided 14 common business continuity planning elements to DSC management officials in the Washington and Regional Offices for their review and comment. DSC officials agreed that the 14 elements should be included in a financial institution's BCP and that the degree to which they are implemented is determined by the risks associated with the particular entity and its size and complexity.
Table 3 identifies the business continuity planning elements, the industry sources, and whether the concepts were included in the published guidance.


Table 3: Common BCP Elements

Sources: (a) FISCAM, (b) Interagency Paper, (c) FEMA, (d) NIST, (e) ISACA, (f) FFIEC (see Notes). An "X" means the source identifies the element; "-" means it does not.

 a  b  c  d  e  f   Common Elements of Business Continuity Planning
 X  X  X  X  X  X   Board of Directors and senior management are involved in and committed to business continuity planning.
 X  X  X  X  X  X   Plan is documented and made policy.
 X  X  X  -  X  X   Addresses various business threat/disruption scenarios.
 X  X  X  X  X  X   Business Impact Analysis is performed on an enterprise-wide basis. All critical business functions/assets are identified and prioritized, not just technology functions/assets.
 X  -  -  X  X  X   Is updated as changes in technology/business processes warrant.
 X  X  X  -  X  X   Provides for alternate telecommunication services/interoperable communications.
 X  X  X  X  X  X   Provides for alternative processing sites located an appropriate distance away.
 X  X  X  X  X  X   Critical data files are backed up appropriately and stored off-site an appropriate distance away from the data processing facility.
 X  X  X  X  X  X   Includes a plan for succession and/or loss or inaccessibility of key staff.
 X  -  X  X  X  X   Staff is aware of responsibilities under the plan and is adequately trained.
 X  -  -  X  X  X   Key contractors/service providers are identified; backup arrangements are in contract.
 -  -  -  -  X  X   Insurance coverage adequately mitigates risk.
 X  X  X  X  X  X   Plan is routinely tested, results are analyzed, and corrective actions are taken.
 -  -  -  -  X  X   BCP and test results are subject to independent audit.

Source: OIG Analysis.

Notes:
a  The General Accounting Office, Accounting and Information Management Division, issued the "Federal Information System Controls Audit Manual" (FISCAM) in January 1999.
b  "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" was issued by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission in April 2003.
c  Federal Emergency Management Agency, "Federal Preparedness Circular 65," July 26, 1999.
d  National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology," dated June 2002.
e  Information Systems Audit and Control Association (ISACA), "Certified Information Systems Auditor Review Manual."
f  "FFIEC Business Continuity Handbook" issued in May 2003.


We concluded that DSC's approach to reviewing BCPs at FDIC-supervised institutions does not always incorporate the more enterprise-wide elements of business continuity planning and instead focuses on the IT aspects of disaster recovery planning.
As Table 4 shows, our evaluation of DSC's approach to assessing business continuity planning indicates that 7 of the 14 BCP common elements identified in Table 3 either are not adequately addressed in the IT MERIT and IT General Work Program procedures or are not addressed at all.

Table 4: BCP Common Elements That Need To Be Addressed in DSC's Approach

IT MERIT Procedures       IT General Work Program   BCP Common Element
Not adequately addressed  Not adequately addressed  Business Impact Analysis is performed on an enterprise-wide basis. All critical business functions/assets are identified and prioritized, not just technology functions/assets.
Not adequately addressed  Not adequately addressed  Updates to the BCP should be made as changes in technology/business processes warrant.
Not addressed             Not addressed             BCPs should provide for alternate telecommunication services, interoperable communications, and utilities.
Not addressed             Adequately addressed      BCPs should provide for alternate processing sites located an appropriate distance away.
Not addressed             Not adequately addressed  BCPs should address a plan for management succession or loss or inaccessibility of key staff.
Not adequately addressed  Adequately addressed      BCPs should ensure that employees are aware of responsibilities under the BCP and are adequately trained to carry out the plan and procedures.
Not adequately addressed  Not adequately addressed  Key contractors and service providers are identified and backup arrangements are in the contract.

Source: OIG Analysis of BCP Common Elements and IT Examination Guidance.

Because the underlying purpose of business continuity planning is the resumption of business operations, it is essential to consider the entire organization, not just technology, when developing the plan. Further, BCPs should be reviewed periodically and updated to reflect and respond to changes in the financial institution or its TSP, business processes, technology, key personnel, and the internal and external environments of the institution. Financial institutions should plan for alternative telecommunication services and utilities and alternative processing site(s) if the primary sources become inaccessible and/or unavailable for use. Further, in making the arrangements for alternative telecommunications, utilities, or physical work sites, BCPs should ensure that alternative telecommunications and utilities are not susceptible to single points of failure and that alternative facilities are not vulnerable to the same set of risks as the primary location.

Additionally, BCPs should include management succession plans and plans for loss or inaccessibility of key staff. Cross-training of employees should be utilized, and backup roles and responsibilities should be clearly defined in the BCP should key personnel not be available to restore operations. Further, staff should be fully aware of their responsibilities under the BCP and should be aware of the risks of not fulfilling those duties. Finally, institutions should ensure that all key contractors, vendors, suppliers, and service providers are identified and that the BCPs include provisions for the event that these outsourced services become unavailable.

DSC officials agreed that the IT MERIT Procedures and IT General Work Program focus more on IT than on enterprise-wide aspects of business continuity planning.
The FFIEC's draft BCP booklet was circulated to DSC examiners for field testing in July 2002, 2 months before the September 2002 release of DSC's revised IT examination guidance. According to DSC officials, it was not DSC's intention to exclude enterprise-wide business continuity planning from DSC's IT examination guidance. In fact, the authors of the IT examination guidance were aware that the BCP booklet was being drafted but were unaware of the detailed concepts being developed in it. DSC officials also stated that it is not readily apparent where a review of business continuity planning should occur in DSC's supervisory examination program. DSC officials stated that it would make sense for the BCP review to occur during a safety and soundness examination (instead of an IT examination) as part of the assessment of an institution's management practices, since the development of a BCP would be the responsibility of the institution's senior management and would be incorporated into the institution's policy.

An institution's BCP is a key management control. Accordingly, a goal for DSC should be that, regardless of where the BCP review takes place, the results are factored into the determination of the management component of the institution's CAMELS rating.[6]

Enterprise-wide business continuity planning is critical to the safety and soundness of all financial institutions, regardless of size, complexity, and/or risk. A disruption could result from a natural disaster (e.g., fire, flood, severe weather, chemical spills, air contaminants); malicious activity (e.g., terrorism, electronic attack, sabotage); and/or a technical disaster (e.g., transportation system disruption or loss of telecommunications, equipment, software, or utilities, such as power failures) that could impair the primary processing site and thereby make it unavailable for use. Moreover, a disruption could make key personnel and/or decision-makers inaccessible for maintaining the operations and services performed by the institution. Because DSC's approach is not designed to address the business or enterprise-wide aspects of business continuity planning for most FDIC-supervised institutions, DSC may not be adequately assessing whether most FDIC-supervised institutions would effectively respond to a disruption and maintain critical business functions until those functions are fully restored. An institution's inability to resume business operations could result in an adverse effect on the regional economy, reputation damage, operational downtime, and, in the worst of circumstances, failure of the bank.

[6] Under the Uniform Financial Institutions Rating System, a numeric rating is assigned to reflect the assessment of the bank's financial condition, compliance with laws and regulations, and overall operating soundness. The FDIC's rating of six elements (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market risk) is referred to as the CAMELS rating. CAMELS component and composite ratings range from 1 to 5, with a 5 rating representing the most critically deficient level of performance.


RECOMMENDATION

We recommend that the Director, DSC, incorporate the enterprise-wide aspects of business continuity planning in DSC's supervisory approach to examinations of FDIC-supervised institutions.


CORPORATION COMMENTS AND OIG EVALUATION

The Director, DSC, provided a written response, dated September 23, 2003, to a draft of this report. DSC agreed with our recommendation. DSC's comments are presented in their entirety in Appendix III to this report. DSC's proposed action is sufficient to resolve the recommendation. Because the proposed action is subject to interagency approval, DSC could not provide a specific completion date. Accordingly, the recommendation will remain undispositioned and open for reporting purposes until we have determined that the agreed-to corrective action has been completed and is effective. Appendix IV presents a summary chart showing DSC's response to our recommendation.


APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our evaluation was to determine the adequacy of DSC's approach to assessing business continuity planning at FDIC-supervised institutions.
We focused on the frequency and extent to which DSC supervisory reviews address an institution's ability to protect against, recover from, and resume operations after future disruptions or catastrophic events (including physical and electronic attacks).

To accomplish our objective, we performed the following work:

•   Reviewed DSC's IT examination guidance, including work programs, examination procedures, Regional Director Memoranda, FDIC Financial Institution Letters, and Examination Documentation Modules, in order to gain an understanding of DSC's approach to conducting reviews of business continuity planning at FDIC-supervised institutions.

•   Reviewed the FFIEC's examination guidance, specifically the 1996 Information Security Examination Handbook, to gain an understanding of the work programs available to DSC examiners in conducting IT examinations of Type III and Type IV institutions. We identified those procedures relevant to the review of business continuity planning. Additionally, we reviewed the BCP booklet that was released in May 2003 (after the start of our review) to gain an understanding of how the FFIEC work programs have changed regarding business continuity planning.

•   Researched guidance issued by government and private industry sources on the subject of business continuity planning to gain an understanding of the key concepts or elements of business continuity planning in business entities. We focused our research on guidance that was issued in response to the lessons learned from the September 11, 2001 terrorist attacks and on how BCPs contributed to the financial sector's ability to recover operations.

•   Identified key elements of business continuity planning that were common to the government and private industry sources researched.

•   Compared DSC's IT examination guidance to the common key elements identified by our research in order to form a basis for our evaluation of DSC's approach.

•   Interviewed DSC officials from Washington, D.C., and three regional offices (San Francisco, Chicago, and Dallas/Memphis) that are responsible for implementing DSC's approach to IT examinations.

•   Interviewed DSC officials from Washington, D.C., who participate in FFIEC and FBIIC activities.

•   Reviewed examination workpapers for 10 sampled IT examinations. Our sample focused on IT examinations that started after January 1, 2003 and ended before May 22, 2003, in order to capture IT examinations conducted after issuance of the revised IT examination guidelines in September 2002, with the exception of one examination: an examination of a TSP performed in May 2002. We selected this May 2002 TSP examination because it was the most recent examination for which the FDIC was the lead agency. We judgmentally selected IT examinations for institutions that were located in large metropolitan areas. We also judgmentally selected institutions of various sizes and complexities to gain an understanding of the relative differences in DSC's approach.
    Our sample was composed of the following technology risk profile types of institutions:

        Technology Risk Profile Type    Number Tested
        I                                     1
        II                                    1
        III                                   4
        IV                                    2
        TSPs                                  2

    From the sample of examinations, we reviewed, when available, the following documents in the examination workpapers:

        •   Report of Examination
        •   Technology Profile Script and Scoring Matrix
        •   IT Examination Questionnaire
        •   Request Lists and Entry Letter
        •   Pre-examination planning memorandum
        •   On-site examination procedures and work programs used and examiner's documentation of work performed.

•   Interviewed examiners-in-charge, when necessary, to obtain clarifications and insights from our reviews of workpapers.

•   Reviewed feedback from DSC examiners who field-tested the BCP booklet during its development phase.

•   Interviewed officials from the General Accounting Office (GAO) to gain an additional understanding of their work conducted on report number GAO-03-414, Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants.

•   The nature of our objective did not require reviewing related performance measures under the Government Performance and Results Act, testing for fraud or illegal acts, or determining the reliability of computer-processed data obtained from the FDIC's computerized systems. We gained an understanding of relevant internal control activities by examining DSC's applicable policies and procedures as presented in DSC manuals, IT examination guidance, Regional Director Memoranda, and Examination Documentation Modules, when appropriate. We decided not to test internal control activities because we concluded that the objective could be met more efficiently by conducting substantive tests (workpaper reviews) rather than placing reliance on the internal control system.

We completed field work at DSC offices located in Washington, D.C., and the San Francisco and Chicago regional offices. We conducted our evaluation from March 2003 through July 2003, in accordance with generally accepted government auditing standards.


APPENDIX II: GLOSSARY

Business Impact Analysis (BIA): The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.

Disaster Recovery Plan: Disaster recovery planning is an IT function; in the IT context, disaster recovery plans document the actions that will be taken to restore computer processing applications, telecommunications services, and data after a disruption or disaster event, to prevent or at least minimize the impacts that such an event will have on the business.

Financial and Banking Information Infrastructure Committee (FBIIC): FBIIC is charged with coordinating federal and state financial regulatory efforts to improve the reliability and security of the U.S. financial system. Treasury's Assistant Secretary for Financial Institutions chairs the committee. Members of the FBIIC include representatives of the Commodity Futures Trading Commission, the Conference of State Bank Supervisors, the FDIC, the Board of Governors of the Federal Reserve System (FRB), the National Association of Insurance Commissioners, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Office of Federal Housing Enterprise Oversight, the Offices of Homeland and Cyberspace Security, the Office of Thrift Supervision (OTS), and the Securities and Exchange Commission.

Federal Financial Institutions Examination Council (FFIEC): The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Public Law 95-630. The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the FDIC, FRB, NCUA, OCC, and OTS and to make recommendations to promote uniformity in the supervision of financial institutions.

Government Emergency Telecommunications Service (GETS): GETS is an acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.

Multi-Regional Data Processing Servicers (MDPS): TSPs that qualify for the MDPS Program. An organization is considered for the MDPS Program when it processes mission-critical applications for a large number of financial institutions that are regulated by more than one agency, thereby posing a high degree of systemic risk, or processes work from a number of data centers located in different geographic regions.

Technology Profile Script (TPS): Designed to be a basic standard measurement of the complexity and risk of a financial institution's information technology (IT) functions, the TPS is completed by DSC prior to every IT exam and is used to determine examination scope and examiner resources. Upon completion of the TPS, a score is calculated. The score becomes the primary basis for classifying an institution into one of four technology profile categories: Type I, Type II, Type III, or Type IV.

Technology Service Providers (TSP): TSPs include independent data centers, joint venture/limited liability corporations, and bank service corporations.


APPENDIX III: CORPORATION COMMENTS


APPENDIX IV: MANAGEMENT RESPONSES TO RECOMMENDATIONS

This table presents the management responses that have been made on recommendations in our report and the status of recommendations as of the date of report issuance. The information in this table is based on management's written response to our report and subsequent communication with management representatives.

Rec. Number: 1
Corrective Action (Taken or Planned/Status): DSC will request that the Management and Internal Control Evaluation Module be revised to incorporate the enterprise-wide aspects of BCP. This request will be presented to the Interagency Examination Documentation Module Maintenance Committee at its next meeting in November 2003.
Expected Completion Date: November 2003
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

a.  Resolved:
    (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b.  Dispositioned: The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

c.  Once the OIG dispositions the recommendation, it can then be closed.